VLANs

2309178
Level 1

Scenario:

I have one router, 3 switches, 6 computers and 6 vlans.

vlan 10: 192.168.10.1
vlan 20: 192.168.20.1
vlan 30: 192.168.30.1
vlan 40: 192.168.40.1
vlan 50: 192.168.50.1
vlan 60: 192.168.60.1

I need vlan 10 and 20 to communicate, as well as vlan 50 and 60. I managed to do this with trunk allowed and encapsulation, but vlan 10 and 20 can see vlan 50 and 60. How do I prevent them from seeing each other and only see the ones I mentioned above?

If you could help me, I would appreciate it very much.


4 Replies

Gopinath_Pigili
Spotlight

Hello 2309178,

Assuming that you have configured the inter-VLAN configuration correctly, you can implement Access Control Lists (ACLs) to block the communication between VLANs. I recommend an extended named ACL. An ACL is stateless; that's the reason, if you apply an ACL on a router, you would also need to allow the return traffic, unless you configure CBAC (ip inspect).

Here is the sample configuration:

ip access-list extended Allow_Vlan
 permit ip 192.168.10.0 0.0.0.255 192.168.20.0 0.0.0.255
 permit ip 192.168.20.0 0.0.0.255 192.168.10.0 0.0.0.255
 permit ip 192.168.50.0 0.0.0.255 192.168.60.0 0.0.0.255
 permit ip 192.168.60.0 0.0.0.255 192.168.50.0 0.0.0.255
 deny ip any any

Finally, apply the ACL at the interface level. I think there is no difference applying an ACL on a physical or sub-interface, as an ACL is layer 3 and 4, not a lower layer; hence it doesn't make any difference applying it on the physical or sub-interface.

Best regards
******* If This Helps, Please Rate *******

 

  1. I used access-list but it is the same; I don't know if I'm doing it wrong.
  2. https://imgur.com/a/3gbm8FF This is a picture of my try (it isn't my real project, but it is the same concept).

You have to apply the ACL under the interface in the inbound direction:

interface Gig0/0
 ip access-group Allow_Vlan in

Please check whether you have implemented the ACL in or out; if you give the incorrect direction, the ACL won't take any effect.

Best regards
******* If This Helps, Please Rate *******
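As an added illustration (not code from the poster or from Cisco), here is a small Python model of how IOS evaluates the Allow_Vlan ACL from the reply above: wildcard-mask matching, first match wins, the implicit deny at the end, and the stateless point that a flow only works when both directions are permitted. Host addresses and the ONE_WAY variant are constructed for the demonstration.

```python
import ipaddress

# Constructed model of the Allow_Vlan ACL from the reply above (assumed IOS
# semantics; not Cisco's code). Each entry is
# (action, source net, source wildcard, destination net, destination wildcard).
ALLOW_VLAN = [
    ("permit", "192.168.10.0", "0.0.0.255", "192.168.20.0", "0.0.0.255"),
    ("permit", "192.168.20.0", "0.0.0.255", "192.168.10.0", "0.0.0.255"),
    ("permit", "192.168.50.0", "0.0.0.255", "192.168.60.0", "0.0.0.255"),
    ("permit", "192.168.60.0", "0.0.0.255", "192.168.50.0", "0.0.0.255"),
    ("deny", "0.0.0.0", "255.255.255.255", "0.0.0.0", "255.255.255.255"),
]

# Same ACL with only the VLAN 10 -> 20 entry, to show the stateless caveat.
ONE_WAY = [ALLOW_VLAN[0], ALLOW_VLAN[-1]]


def wildcard_match(addr, network, wildcard):
    """IOS wildcard mask: a 1 bit means 'don't care', a 0 bit must match."""
    a = int(ipaddress.IPv4Address(addr))
    n = int(ipaddress.IPv4Address(network))
    care = ~int(ipaddress.IPv4Address(wildcard)) & 0xFFFFFFFF
    return (a & care) == (n & care)


def evaluate(acl, src, dst):
    """First matching entry wins; every IOS ACL ends with an implicit deny."""
    for action, snet, swc, dnet, dwc in acl:
        if wildcard_match(src, snet, swc) and wildcard_match(dst, dnet, dwc):
            return action
    return "deny"


def flow_works(acl, src, dst):
    """An ACL is stateless, so a working flow needs a permit in BOTH directions
    when the same ACL is applied inbound on every VLAN sub-interface."""
    return evaluate(acl, src, dst) == "permit" and evaluate(acl, dst, src) == "permit"


def matrix(acl, hosts):
    """Which host pairs can talk under this ACL (constructed sample hosts)."""
    return {(s, d): flow_works(acl, s, d) for s in hosts for d in hosts if s != d}


if __name__ == "__main__":
    hosts = ["192.168.10.5", "192.168.20.5", "192.168.50.5", "192.168.60.5"]
    for (s, d), ok in sorted(matrix(ALLOW_VLAN, hosts).items()):
        print(f"{s} -> {d}: {'permit' if ok else 'deny'}")
```

Running it prints that 10<->20 and 50<->60 are permitted while every other pair is denied; evaluating ONE_WAY shows the forward packet permitted but the reply denied, which is why both directions appear in the ACL.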

 

Joseph W. Doherty
Hall of Fame

As @Gopinath_Pigili already describes, you can use extended ACLs on the VLAN L3 interfaces to control what traffic is allowed to enter and/or exit your subnets. Such ACLs can be very specific to the IPs and ports being allowed or denied.

As he also mentioned, firewall features (if supported) provide additional options.

If your router supports NBAR, you can also have further/deeper packet analysis.

If your router supports VRF, you would also have the option to create virtual L3 domains (sort of the L3 version of L2 VLANs).
